Legal
Privacy Policy
Effective date: 2026-03-31
This Privacy Policy explains how Moments collects, uses, and shares information when you use our website and services (the “Service”).
1) Who is responsible for your data (Controller)
The data controller for the Service is [Moments Legal Entity Name] (“Moments”, “we”, “us”, “our”). Our address is [Company Address].
You can contact us at [Privacy Email]. If required for your use case, you may also designate a Data Protection Officer (DPO) and list their contact details here.
2) What we collect
- Account data: name, email address, authentication and security information (for example, verification tokens), and basic account preferences.
- Event and gallery data: event titles/descriptions, dates, share codes, guest identity preferences, and related settings.
- Uploads (User Content): photos and other media you or your guests upload, along with related metadata you provide.
- Usage and device data: IP address, device identifiers, browser type, pages viewed, approximate location derived from IP, and logs necessary to operate and secure the Service.
- Billing data: purchase status, plan selections, receipts/invoices and transaction identifiers. Payment card details are handled by our payment provider, not stored by us.
- Support/contact data: messages you send us and related contact details.
3) How we use information
We use information to:
- Provide and operate the Service (accounts, event galleries, uploads, downloads).
- Process purchases and provide invoices/receipts.
- Prevent abuse, enforce our terms, and secure the Service.
- Communicate with you about your account and the Service (transactional emails).
- Send marketing communications where permitted (you can opt out at any time).
- Measure and improve the Service (analytics).
4) Legal bases (GDPR / UK GDPR)
If you are in the EU/EEA or UK, we rely on the following legal bases under GDPR/UK GDPR:
- Contract: to provide the Service you request (account, event galleries, storage, downloads).
- Legitimate interests: to secure, prevent abuse, and improve the Service (for example, fraud and security monitoring).
- Consent: for optional cookies/analytics/marketing where required. You may withdraw consent at any time.
- Legal obligation: where we must comply with law (for example, tax/accounting obligations).
5) Cookies and analytics (GA4, Umami)
We may use analytics tools to understand usage and improve the Service. Based on our current setup, we intend to use:
- Google Analytics (GA4) (if enabled): may set cookies or similar identifiers and collect usage/device data.
- Umami Analytics (if enabled): typically used as a privacy-friendly analytics option; configuration matters (cookie vs cookieless).
If you are in the EU/EEA/UK, we aim to request consent for non-essential analytics before loading them. You can also control cookies through your browser settings.
If we provide an in-product cookie preference control, you can manage it from the site footer or settings (when available).
6) Email (transactional and marketing)
We send transactional emails (for example, verification and password reset) to provide the Service. We may also send marketing emails if you opt in or where permitted by law.
Our current email delivery provider for authentication emails is Plunk. If we use additional email marketing providers, we will list them here.
You can opt out of marketing emails by using the unsubscribe link in those messages or by contacting us at [Support Email].
7) Payments and invoices
We use third-party payment/checkout providers to process payments and generate invoices/receipts. Our current integration includes Polar for checkout and invoice URLs.
We receive confirmation of purchases, transaction identifiers, and related billing metadata necessary to fulfill your purchase and support accounting.
8) How we share information
We may share information:
- With service providers (processors): hosting, storage (for uploads), email delivery, analytics, and payments.
- With event participants: content you upload to an event may be visible to hosts and guests you authorize through the event link/code and settings.
- For legal and security reasons: to comply with law, enforce our terms, or protect rights and safety.
- Business transfers: if we are involved in a merger, acquisition, or sale of assets.
9) International data transfers
We may process data outside your country. If you are in the EU/EEA/UK and your data is transferred to countries without an adequacy decision, we will rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and/or the UK International Data Transfer Addendum/IDTA, as applicable.
10) Data retention
We retain personal data as long as necessary to provide the Service and for legitimate business needs (for example, security, dispute resolution, and compliance with legal obligations).
- Account data: retained until you delete your account, subject to legal retention requirements.
- Uploads: retained while the event/gallery is active or as configured by the host, subject to plan limits and deletion requests.
- Billing records: retained as required by tax and accounting laws.
11) Security
We use administrative, technical, and physical safeguards designed to protect information. However, no method of transmission or storage is 100% secure.
12) Your rights (EU/EEA/UK)
If you are in the EU/EEA or UK, you may have rights to access, correct, delete, or port your personal data, and to restrict or object to certain processing. You also have the right to withdraw consent where processing is based on consent.
To exercise these rights, contact [Privacy Email]. You also have the right to lodge a complaint with your local supervisory authority.
13) US state privacy disclosures (including California)
Depending on your state of residence, you may have rights to access, delete, or correct personal information, and to opt out of certain disclosures of personal information (for example, “sale” or “sharing” for targeted advertising as defined by applicable law).
Sale / sharing: We do not sell personal information in exchange for money. If we use third-party advertising or analytics that qualifies as “sharing” for targeted advertising, we will provide an opt-out mechanism where required (for example, “Do Not Sell or Share My Personal Information”).
To make a request, contact [Privacy Email]. We may need to verify your request.
14) Children
The Service is not intended for children under 13, and we do not knowingly collect personal information from children under 13.
15) Changes to this Privacy Policy
We may update this Privacy Policy from time to time. If changes are material, we will take reasonable steps to notify you. The effective date above reflects the latest version.
16) Related documents
Please also review our Terms & Conditions.
Questions? Contact [Privacy Email].